The hackers who launched last month's cyberattack against Colonial Pipeline and disrupted fuel supplies to the Southeast U.S. were able to get into the system by stealing a single password, Joseph Blount, Colonial Pipeline CEO, told the U.S. Senate this week.

Blount testified before a U.S. Senate committee that the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multi-factor authentication, meaning it could be accessed through a password without a second step, such as a text message, a common security safeguard.

“In the case of this particular legacy VPN, it only had single-factor authentication," Blount said. “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password."

The Senate panel was convened to examine threats to critical U.S. infrastructure and the Colonial attack, which shut key conduits delivering fuel from Gulf Coast refineries to major East Coast markets.

After learning it was the victim of a cyberattack on May 7, Colonial Pipeline shut down 5,500 miles of pipeline and paid the hackers 75 Bitcoin—nearly $5 million—to regain access to its systems. The FBI has attributed the hack to a gang called DarkSide, which issued a veiled apology for its impact after the hack.

On Monday, the U.S. Justice Department announced it had recovered $2.3 million of the cryptocurrency ransom.

Even after regaining access to their systems, the company is still recovering from the attack and is bringing back seven finance systems that have been offline since May 7, Blount said.

Some senators suggested Colonial had not sufficiently consulted with the U.S. government before paying the ransom against federal guidelines. The FBI discourages organizations from making ransom payments because it encourages additional cyberattacks and doesn't guarantee the return of data.

Despite investing over $200 million over the last five years in its IT systems, which a company spokesperson later clarified included cybersecurity measures, Blount said Colonial did not have a plan in place to prevent a ransomware attack but did have an emergency response plan. The company notified the FBI within hours. However, the cyberattack demonstrated that much of Colonial's infrastructure remains highly vulnerable and the government and companies must work harder to prevent future hacks, senators said during the hearing. 

Blount said the company made the decision to pay the ransom and to keep the payment as confidential as possible because of concern for security, testifying, “It was our understanding that the decision was solely ours to make about whether to pay the ransom."

Cyberattacks also recently hit U.S. meatpacking plants owned by JBS as well as CNA Financial Corp. Sixty-one percent of cyber breaches are attributed to leveraged credentials, according to the Verizon 2021 Data Breach Investigations Report.

For more resources on protecting your agency's systems, visit the Agents Council for Technology (ACT).

AnneMarie McPherson is IA news editor.